Feb 8, 2011 13:33 GMT
Hackers hijack Facebook accounts from open Missouri Capitol wireless network

Four members of the Missouri House of Representatives and one of their staff have reported their Facebook accounts being hijacked since the beginning of this year.

Democrat Stacey Newman and Republicans Donna Lichtenegger and Dave Schatz are among the state representatives who fell victim to the hackers.

According to Sophos, in Donna Lichtenegger's case the hackers posted a fake message in her name claiming that she enjoys receiving free food and other gifts from lobbyists.

The lawmaker later posted an update to warn her fellow state representatives to change their passwords as she was not the only one to have her account hijacked.

She also advised her Facebook fans that the message about the free lobbyist food was fake and was the result of hacking.

"As I was traveling back home this afternoon someone decided to hack into my Facebook and write this false statement about me liking lobbiest [sic] and getting lots of free food. First of all I'm not eating most of the food at the Capitol because I've plegded [sic] to myself to loose [sic] the freshman 15 instead of gaining," Mrs. Lichtenegger wrote.

So far, the only connection between the compromises is that all five victims used the Capitol's public Wi-Fi network. There is also a separate secure wireless network for lawmakers.

The most likely explanation is session hijacking over the open network. On an unencrypted Wi-Fi network anyone within radio range can capture other users' traffic, and a site that sends its session cookie over plain HTTP hands that cookie to whoever is listening; no active interception or password theft is needed. Replaying the captured cookie from the attacker's own browser is enough to be treated as the logged-in user, and the stolen session stays usable until it is ended, which is consistent with posts appearing while the victim was away from the Capitol.

This type of attack has been known for years, but it received wide media coverage in October 2010 when Eric Butler released Firesheep, a Firefox extension that automates the whole process: it lists the sessions it sees on the local network and logs the attacker in as any of them with a click.

The best protection against session hijacking is to use HTTPS rather than HTTP on sites that support it, and for the whole session, not just the login page: a site that encrypts the password but then sends the session cookie over plain HTTP on every later page is exactly what Firesheep exploits. On the server side, marking the session cookie with the Secure attribute stops the browser from ever sending it over an unencrypted connection. The most popular sites usually support HTTPS, but only a few enable it by default.

Facebook recently (in late January) introduced an account security setting that keeps the whole session on HTTPS and remembers that choice across sessions. However, many third-party applications and the chat feature do not yet work over such connections because they pull in external content that is not served over HTTPS.
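To make the mechanism concrete, here is an added example (not code from the original article or from Facebook) that models both halves of the story above: what a sniffer extracts from a plaintext request on an open network and replays, and why a session cookie set over HTTPS with the Secure attribute cannot be captured that way. The request, the host name `www.example-social.test` and the cookie name `sess` are constructed for the example and are not Facebook's real values.

```python
# Added example, not code from the original article: a minimal model of the
# cookie-sniffing attack described above and of the fix (HTTPS plus a
# Secure-flagged session cookie). Host and cookie names are hypothetical.
from urllib.parse import urlsplit

# A plaintext HTTP request as anyone on the same open Wi-Fi could capture it
# (constructed sample; "sess" is a hypothetical session-cookie name).
SNIFFED_REQUEST = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: www.example-social.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: locale=en_US; sess=9f1c3a7b2d; tracking=abc\r\n"
    "\r\n"
)
SESSION_COOKIE_NAMES = {"sess"}   # which cookie names carry the login session


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def extract_session_cookies(raw):
    """The sniffer's job: pull the session cookie(s) out of a plaintext request."""
    _, _, headers = parse_request(raw)
    found = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name in SESSION_COOKIE_NAMES:
            found[name] = value
    return found


def build_replay_request(host, path, cookies):
    """The request the attacker replays to be treated as the victim."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"


# Defence side: the same session cookie as a server might set it, without
# and with the Secure attribute (constructed Set-Cookie headers).
WEAK_SET_COOKIE = "sess=9f1c3a7b2d; Path=/; HttpOnly"
FIXED_SET_COOKIE = "sess=9f1c3a7b2d; Path=/; HttpOnly; Secure"


def parse_set_cookie(header):
    """Return (name, value, set of lower-cased attribute names) for a Set-Cookie."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    flags = {a.partition("=")[0].lower() for a in attrs if a}
    return name, value, flags


def browser_would_send(set_cookie, url):
    """Browser rule: a cookie flagged Secure is only ever sent over https://.

    Returns True if the cookie would leave the browser on a request to `url`,
    i.e. if it would travel in the clear when `url` is plain http://.
    """
    _name, _value, flags = parse_set_cookie(set_cookie)
    return urlsplit(url).scheme == "https" or "secure" not in flags


if __name__ == "__main__":
    stolen = extract_session_cookies(SNIFFED_REQUEST)
    print("sniffed:", stolen)
    print(build_replay_request("www.example-social.test", "/home.php", stolen))
    for label, header in (("weak", WEAK_SET_COOKIE), ("fixed", FIXED_SET_COOKIE)):
        print(label, "cookie sent over http:",
              browser_would_send(header, "http://www.example-social.test/"))
```

The point of the second half is that the fix has to hold on every request, not just the login: with `WEAK_SET_COOKIE` the browser sends `sess` on the first plain-HTTP page it loads and the sniffer gets it, while with `FIXED_SET_COOKIE` the cookie is withheld from any http:// request, so there is nothing on the air to capture. This is also why a site-wide HTTPS setting like the one described above matters, since any page that falls back to HTTP would otherwise expose a non-Secure cookie.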

A more technical solution is to route all traffic through a VPN (Virtual Private Network) tunnel whenever connecting from an open wireless network. That encrypts everything between the laptop and the VPN endpoint, which is where the Wi-Fi eavesdropper sits; for sites that are still on plain HTTP the traffic travels in the clear again from the VPN endpoint onward, so the VPN closes the open-hotspot hole rather than replacing HTTPS.